Geeklog Forums
Article images too permissive
stavngaard
Forum User
Newbie
Registered: 10/27/03
Posts: 2
I have a problem: the images I upload as an administrator when posting an article, are stored in a folder that is generally readable.
So even if I have set the permissions so that you have to log in to see any article, anyone can just point their browser to the image URL and view it.
I have tried to CHMOD the images/articles folder and the file therein removing all rights for, but that does change the permissions.
I have also tried to install Gallery, but MySQL runs in safemode since it is on a shared www host.
How can I gain the possibility to upload photos under the geeklog security model?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by stavngaard: So even if I have set the permissions so that you have to log in to see any article, anyone can just point their browser to the image URL and view it.
You need to know the name of the image first, which shouldn't be too easy to guess. Assuming, of course, that your webserver is configured such that it does not allow to browse directories (and if it does allow it, you may want to change that ASAP).
Quote by stavngaard: How can I gain the possibility to upload photos under the geeklog security model?
There isn't much that Geeklog can do here. The images must be publicly available or you won't be able to see them in your browser. Of course, you could password-protect the images directory, but that would be a minor pain for those users who actually have the permission to view the article.
bye, Dirk
stavngaard
Forum User
Newbie
Registered: 10/27/03
Posts: 2
Then, how do the image gallery integrations for GL enforce their permissions? Do they also use a public folder for the images? Not much protection in that.
This is kind of a newbie question, hope you don't mind: How can I password protect a folder on a shared www host as you suggest? in .htaccess?
exaurdon
Forum User
Regular Poster
Registered: 08/13/03
Posts: 107
For securing these images, there are a couple options, however they would all require fairly extensive understanding of PHP, http, and geeklog.
To protect images, you could place the images in a folder outside your html directory, but in a directory accessible by PHP. This will prevent access to those images by any web user. You can then create an image link to a PHP script. (i.e. ) (Yes, you can use php scripts as image links) That PHP script would then need to set its MIME type as an image, and it would need to read the image from the non-web directory, and return that image. (This requires a reasonable amount of effort, and I won't go into detail here, but I wanted to describe at least one method that is used.) The script could be written, like any PHP script, to check the permissions of the user before retrieving the image.
(For an example of using a PHP script as an image, look at the JPGraph project, a PHP-graph generation tool)
Exaurdon~
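A sketch of the gatekeeper script described in the post above, as an added example that is not part of the original thread and is not Geeklog code. The directory path, the `name` query parameter, the `uid` session key and the `viewer_is_logged_in()` helper are assumptions to be replaced with the site's own session and permission lookup; it also assumes PHP's fileinfo extension is available. An article would then reference the image as `image.php?name=photo.jpg` instead of a direct file URL.

```php
<?php
declare(strict_types=1);
// image.php: added example. Paths, parameter name and login check are assumptions.

const IMAGE_DIR = '/home/example/private/article-images'; // assumed path outside the web root
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

/** Hypothetical check: replace with the site's own session/permission lookup. */
function viewer_is_logged_in(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return !empty($_SESSION['uid']); // 'uid' is an assumed session key
}

/** Map a requested name to a real file inside $dir, or null if it is not acceptable. */
function resolve_image(string $dir, string $name): ?string
{
    // Accept plain file names only: no path separators, no leading dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*\.(jpe?g|png|gif)$/i', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks, so a link pointing outside $dir is rejected here.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

if (!viewer_is_logged_in()) {
    http_response_code(403); // refuse before touching the file system
    exit;
}
$name = $_GET['name'] ?? '';
$path = is_string($name) ? resolve_image(IMAGE_DIR, $name) : null;
// Trust the detected content type, not the file extension.
$type = $path !== null ? (new finfo(FILEINFO_MIME_TYPE))->file($path) : false;
if ($path === null || !in_array($type, ALLOWED_TYPES, true)) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('Cache-Control: private, no-store'); // keep shared caches from storing it
header('X-Content-Type-Options: nosniff');
readfile($path);
```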